Thursday, August 26, 2010

Yesterday Taiwanese Criminal Investigation Bureau Commissioner Lin Teh-hua announced the largest cybercrime operation in the history of his organization. (The Criminal Investigation Bureau's report, in Chinese, is here). 548 Taiwanese police officers and 2,720 Chinese police officers took part in the operation, which resulted in 450 fraudsters being arrested throughout Taiwan and in the Chinese provinces of Fujian, Hunan, Hubei, Anhui, Guangdong and Guangxi. Since a joint operations agreement was signed between Chinese and Taiwanese authorities, more than 16 joint raids have been conducted, leading to more than 1,000 arrests.

In this case, the activity particularly focused on telephone fraud and internet auction fraud. The arrests come close on the heels of the break-up of a similar fraud ring in Ho Chi Minh City, where 99 fraudsters from Taiwan and China were arrested. In the Vietnamese fraud, where 76 Taiwanese and 23 Chinese citizens were arrested, fraudsters would take over entire hotels, booking as many as 30 to 40 hotel rooms for their fraud. They would place random phone calls, posing as telecom officials, police officers, or prosecutors, and urge people to wire money to specified accounts. Some individuals lost millions of dollars in that fraud. The Ho Chi Minh case made note that on July 1st there had been a related raid where 32 Taiwanese and 14 Chinese were arrested. Major General Huynh Huu Chien of the Ministry of Public Security called it the largest foreign hacker ring ever in Vietnam, saying that they also had been doing ATM fraud, hacking into foreign banks and using ATM card readers to steal from more than 200 foreign bank accounts and financial institutions.

The Vietnam case continued on August 13th, when police arrested eleven Taiwanese men and two women in Can Tho. In that case, the police seized laptops, phones, walkie-talkies, and most intriguingly more than 50 "fraud scripts" that guided the fraudsters through the "play" of imitating a police officer or state agency official in order to further their fraud.

The Taiwanese-Chinese arrests this week seem to be more of the same, as police explain that the groups formed temporary "Telephone Fraud Centers" where the scammers placed calls following elaborate scripts that helped them to perpetrate their frauds. In Taiwan, in addition to the seizure of laptops, cell phones, and fraud manuals, fake courier uniforms were found.

This raid began to be built after a large meeting in China's Fujian Province where police from across China came together in Ningde to address illegal telecom operations, money laundering, impersonation of public agencies for fraud, and online shopping scams, but the case actually originated with the arrest of "Rong Yu" who was arrested back in April when police discovered he had been operating a fraud from the Taizhong Emperor Hotel, pretending to be a Shen Fuwen law clerk. By tracing the criminal contacts of this phony law clerk, more than seven other similar groups were identified, including the identification of the group's headquarters in Hunan Province.

The group was also found to be related to a fake online auction group - the Wuhan Pride network (www.dey100.com). This group, which claimed to be an online trading company, was involved not only in selling goods that were never actually delivered, but also in ATM fraud conducted after stealing banking information from the buyers of those fake goods! Some of the victims report getting very strange deliveries, such as ordering goods online and receiving an empty CD box or a package of soap instead of what they ordered. When they called to complain, this allowed the fraudsters to gather additional personal information about them, which enabled further fraud.

I hope more details of this fraud will be revealed in the next few days, but for now, I want to offer congratulations to the investigators who are helping to clean up online crime throughout China and Taiwan!

In the UAB Spam Data Mine we received between 450 and 539 copies of each of these spam messages.

The body of the email has the same text for each, with only the name varying. The name used in the body of the email doesn't necessarily match the name in the subject line. Here's an example:

Cameron Diaz died along with 34 other people when the Air Force CT-43 "Bobcat" passenger plane carrying the group on a trip crashed into a mountainside while approaching the Dubrovnik airport in Croatia during heavy rain and poor visibility.

Please see attachment

The attachment, called "News.html", is base64 encoded, but if you click on it, it will launch in a web browser.

The HTML is composed of JavaScript functions that take substrings of pieces of code and concatenate them to make a URL:

Monday, August 09, 2010

By now you're certainly well aware of the fact that the CAN-SPAM Act is basically ignored by law enforcement, with an occasional exception once or twice a year where someone actually goes to jail.

The question remains, how do we convince the limited resources of law enforcement that a spammer is more than "just another spammer" and is actually someone who should be pursued?

As we were looking through spam clusters on the UAB Spam Data Mine this weekend, one interesting pattern stood out, because it seemed to be an indication that a particular Viagra spammer may actually be breaking into websites (that is, committing violations of Title 18 Section 1030, "Computer Intrusion") in order to avoid being caught as a spammer.

This particular spammer sent us 359,205 spam messages between July 14, 2010 and July 30, 2010. While some were part of the group that uses the pattern:

I was actually far more interested in another subgroup from this spammer.

The 498 websites listed below are each a pre-existing website which has been hacked in the same manner that a phisher may hack a website. In this case a single file has been placed on each server, and it is that file that is used in the spam messages. Although the spam that I used to generate this group was all from July 14 to July 30, 299 of the websites remain "hacked" as of this writing.

If you are a webmaster for one of the sites listed below, we would be very interested in three facts from you:

1) do you have any log or theory showing how your website was hacked?

2) do you have logs that we could review to count how many people "clicked through" your site?

3) have you experienced other forms of defacement since being hacked by the "viagra hacker?"

After talking about the traditional phishing, and the statistics that we have about phishing through our UAB Phishing Operations and UAB Phishing Intelligence teams, I shared with the group that while phishing is continuing to be on the rise, compromise of banking credentials through malware is an ever growing threat.

To demonstrate the problem with malware, I opened one of my spam receiving email accounts as a user and clicked on several email messages.

I clicked on an email from July 30th that warned me that "FDIC has officially named your bank failed bank", clicked the attachment, and demonstrated my anti-virus product (on this machine I was using Microsoft Forefront) successfully protected me from the malware.

Then I clicked on an email from July 31st that claimed to have details on "Your order from Amazon.com". Again, my AV popped on the attachment.

Then I clicked on an email from August 2nd with the subject "DHL Tracking number 080231". Pop! Virus!

Then I clicked on an email from August 3rd with the subject "Notice of Underreported Incomeir" - "yeah, Incomeir" not Income. Those guys at IRS apparently don't have a spell-checker. Pop! Virus!

Then I clicked on an email that was about four hours old - "You have received a file from (email) via YouSendIt." No warning. So we unpacked the zip file and sent it to VirusTotal. 11 of 42 detections. Note that at VirusTotal, Microsoft was described as being a product that detected the malware, but VirusTotal was running a slightly newer (by a few hours) version of the AV than my laptop. Symantec and Trend and several other "big players" weren't detecting yet, but I told my audience that really didn't mean one was better than another - it was more or less a shooting of the dice who would be the "first detector."

So, what's going on with all of these new malware attachments? I would describe it as a "Zeus's Greatest Hits" campaign. Some of the most successful "Zbot spreading" spam campaigns are all being re-issued, only as attached-malware spam instead of "sending to website" spam. I've linked previous blog posts about Zeus campaigns to some of the top spam subjects in the list below. If we just look at spam for this week in the UAB Spam Data Mine, we see things like:

How do we know that these emails might be related to one another? The primary reason is how I selected the list that you see above. In the UAB Spam Data Mine, I picked one of the common subjects that are being used to spread this malware, and said "Show me all the email subjects sent from the same IP address as emails which sent me the subject 'You have received an Greeting eCard' and limit myself to only consider emails from August 2010."

All of the subjects in the list above were part of the response. Now, there were also hundreds of thousands of other emails - mostly selling Viagra and watches, but ALL of the subjects above were sent from computers that also sent at least one email with the "You have received an Greeting eCard" email.
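The "same IP that also sent the seed subject" pivot described above, as an added example that is not the UAB Spam Data Mine's own code: a constructed SQLite table of (source IP, date, subject) rows and the query that returns every other subject those senders used in a date window, with sender and message counts. The IPs, dates and rows are made up for illustration.

```python
import sqlite3

# Constructed sample rows, not real Data Mine records. Two of the three IPs
# sent the seed subject in August; one row falls outside the window.
SAMPLE_ROWS = [
    ("198.51.100.7", "2010-08-02", "You have received an Greeting eCard"),
    ("198.51.100.7", "2010-08-02", "DHL Tracking number 080231"),
    ("198.51.100.7", "2010-08-03", "Notice of Underreported Incomeir"),
    ("198.51.100.7", "2010-08-03", "Cheap Viagra"),
    ("203.0.113.42", "2010-08-01", "You have received an Greeting eCard"),
    ("203.0.113.42", "2010-08-04", "Your order from Amazon.com"),
    ("203.0.113.42", "2010-08-04", "Cheap Viagra"),
    ("192.0.2.9",    "2010-08-05", "Replica watches"),  # never sent the seed
    ("198.51.100.7", "2010-07-30",
     "FDIC has officially named your bank failed bank"),  # July: outside window
]

def build_db():
    """Load the constructed rows into an in-memory spam index."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE spam (src_ip TEXT, sent_on TEXT, subject TEXT)")
    con.executemany("INSERT INTO spam VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con

def pivot_subjects(con, seed_subject, start, end):
    """Return (subject, distinct_senders, messages) for every subject other than
    the seed that was sent within [start, end] by an IP that also sent the seed
    subject in that window. Ordered so the most widely shared subjects come first."""
    sql = """
        SELECT subject, COUNT(DISTINCT src_ip) AS senders, COUNT(*) AS msgs
        FROM spam
        WHERE sent_on BETWEEN ? AND ?
          AND src_ip IN (SELECT src_ip FROM spam
                         WHERE subject = ? AND sent_on BETWEEN ? AND ?)
          AND subject <> ?
        GROUP BY subject
        ORDER BY senders DESC, msgs DESC, subject
    """
    params = (start, end, seed_subject, start, end, seed_subject)
    return con.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    for row in pivot_subjects(db, "You have received an Greeting eCard",
                              "2010-08-01", "2010-08-31"):
        print(row)
```

As the post notes, the result also pulls in the Viagra and watch spam that shares the same sending machines, so the pivot groups infrastructure rather than proving the subjects belong to one campaign.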

What is the malware? If you are "into" MD5s, you can check them out yourself. In the emails above, the technique is to send an executable file within a ZIP file attached to the email. Here are the most popular '.zip' attachments so far in August:

The ones with low counts are mostly going to be the very newest versions (or ones that were sent in July and ended early on August 1st).

Some detects are pretty good ... for instance, that final "invoice_viewer" was first seen on August 5th (yesterday) and currently has 29 of 42 detects at VirusTotal. However, the number of malware detections on VirusTotal - RIGHT NOW - is the number in parentheses after the malware attachment name. See the 7? and the 11? Remember that these are WORST when the email is FRESH. Some of these are from August 1st.

What about RIGHT NOW?

I'm going to scan the next two email-attached zips that arrive and show you the detections of FRESH email-delivered malware.

Oh - since the three most recent ".zip" attached emails were in this category, I'll mention this here. Another current email-delivered .zip campaign is "Your private photo attached" and contains a zip named with a random word (my last one was "accosting.zip"). It had zero of 42 detects as a zip file.

That's because it's not malware. It's the "randomly created image" showing that I should buy pills from "yes82.ru".

Wednesday, August 04, 2010

Tonight I had a message from one of my Facebook friends who was concerned that someone may have hacked her Facebook account. She was worried that she might get a virus by looking at the links they had posted on her behalf. I assured her not to worry -- if her Facebook account was sending links to other people's walls, she probably already had a virus. After digging a bit deeper, I'm not so sure.

The "One-Two" punch of this current Facebook attack is similar to some of the spamming malware. Some of the messages it sends are to generate profit for the cybercriminal, and some of the messages are to infect more users to build the criminal's delivery network.

Here is the first type of message -- the "profit" message:

This reminds me of a current "work at home mom" trend that some of my other friends are engaging in. There really is a weight loss multi-level marketing scheme right now where the participants are encouraged to make a website telling about "the plan" and then are told that making money is as easy as following the plan yourself and posting your weight loss reports to all your Facebook friends. (Hope you're happy and skinny, DG, I wouldn't know, I blocked you on Facebook as soon as you started that crap!)

What happens if you follow the link? The link doesn't go to my friend's weight loss page. It goes to an Acai Berry affiliate sales "news" page that is supposed to look like a real "news" site that just happens to be featuring a story about the miracle of the Acai Berry.

Clicking anywhere on the "news" page takes you first to an affiliate tracker page:

tracker.cpaprosperity.net/affe?offer_id=500&aff_id=1161

and then to the sales page for their diet plan:

acaioptimum.com/?afil=az1007

The diet scam page is hosted by Black Rock Hosting on the IP address 64.38.201.205.

That was the "One" . . . here comes the "Two" of our One-Two Punch:

What's the other important purpose for Facebook besides getting your friends to join your Multi-Level Marketing Weightloss plan? Sending stupid videos to one another, right? Everyone knows that when one of your friends posts a link, you are required to immediately click on it, and then click the "Like" button. This is how people know that we are their friends. We "Like" all their stupid videos.

(Actually, I'm a big Facebook fan. My family communicates like crazy with it, and I enjoy sharing pictures with my friends and playing Bejeweled Blitz. But this is the part where I'm supposed to be all sarcastic...)

So, when my friend BG posted this message to all of her friends' walls, what would happen if they clicked on it?

The first thing is that it sends you to a website called "securitymeassures3.co.tv". That page is going to call some JavaScript to find out what country you are in:

If you are in the US, you then load the webpage "explororjones.com/deel/deeus/"

If you are anywhere else in the world, you then load the webpage "explororjones.com/deel/deeint/"

Either way, the page that loads looks like this:

WAIT! How did I get logged out of Facebook? (you are supposed to say to yourself...) then you quickly type in your userid and password for Facebook on this other page, which is actually at "explororjones.com"

ExplororJones is hosted on that excellent Netherlands hosting company Worldstream. I don't recall Facebook moving their operations there. When a web page that isn't really the company you are trying to log in to tries to convince you to log in on the fake page, we call that phishing.

That's why I'm calling this particular attack "PhacePhish" - most phishing attacks start with a spam message that sends you a scary reason that you really need to log in to your bank RIGHT NOW. This one starts with a spammy Facebook message instead.
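The tell in the PhacePhish page above is that a form asking for a Facebook password submits to explororjones.com rather than to Facebook. Here is an added example (not code from the post or from Facebook) of the check a defender can run over a captured page: parse the HTML, find every form containing a password field, resolve its action against the page URL, and report the ones whose host is not the brand's domain or a subdomain of it. The sample login page below is constructed, not captured from the site in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect each <form> with its resolved action URL and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def credential_forms_off_brand(page_url, html, brand_hosts):
    """Return the action URLs of password forms that do not submit to a brand host.
    brand_hosts is the set of registrable domains the real site uses, e.g. {"facebook.com"}."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = (urlsplit(form["action"]).hostname or "").lower()
        # The brand domain itself or a subdomain of it counts as legitimate;
        # look-alikes such as "evilfacebook.com" do not match this test.
        if not any(host == b or host.endswith("." + b) for b in brand_hosts):
            hits.append(form["action"])
    return hits

# Constructed look-alike login page with a relative action (not the real page).
FAKE_LOGIN = """<html><body><h1>Log in to Facebook</h1>
<form method="post" action="login.php">
  <input name="email"><input type="password" name="pass"><input type="submit">
</form></body></html>"""
```

Run against the same HTML served from a real facebook.com URL, the check returns nothing, because the relative action then resolves to the brand host.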

Sooo...does my friend have a virus?

No, it's very, very probable that my friend clicked on a "funny baby" or some other leading video on one of her friends' Facebook posts, believed she was logged out of Facebook, and logged back in, giving her password to the criminals. The criminals then can log in as my friend and repost the message on all of their Facebook pages. If they fall for it, then they'll tell their friends, and they'll tell their friends, and they'll tell their friends, and pretty soon we'll all be skinny and rich! Happy ending!

I'd call my friend and tell her all of this, but it's 3:00 AM. I'll let her sleep a bit more while the criminals spread their message through her Facebook account. Wonder if the Facebook guys are awake . . . hmmmmmmmm....